OpenSSL CMS Sign and Verify
I have been assigned an application that is a few years old now, written by people who are no longer at the company. There is little-to-no documentation on processes or code.
It signs firmware for a System to accept, while digging through its source code it appears to sign and verify with the following commands:
Sign:
openssl cms -engine pkcs11 -keyform engine -sign -inkey 'pkcs11:token=xxxxxxxxxxx;type=private' -signer 'certificate.pem' -md SHA256 -out out_file -in in_file.txt -outform DER -binary
Verify:
openssl smime -verify -binary -inform der -in in_file.txt -content other.txt -certfile cert.pem -CAfile ca_cert.pem
So, ultimately, this application signs the firmware with the above command. Now that the firmware is signed, it can be uploaded to this other system (that holds the public key/cert) that checks that the uploaded firmware has a valid signature on it.
I am not a security/encryption expert, so I am trying to figure out why they used the smime/cms code.
Why don't they just use the private key to sign a hash of the firmware, and then return the signed hash, and the valid firmware. Which can then be uploaded to the system which holds the public key, that can decrypt/verify the signature, and if it is able to then accept the payload?
What advantages does using the CMS commands offer? Specifically, I am trying to understand what the above sign command is actually doing. It appears to take a certificate, and a weird pkcs11 token inkey sort of thing. I am not familiar with this format, or what it does.